
Updating Password policy in all child accounts


In my AWS Organization I have 100 AWS accounts. I want to edit the password policy inside IAM -> Access Management -> Account Settings. Is there any way to do that with less effort, maybe by changing all child accounts from the master account? I don't want to go with a script that runs through all accounts.

asked 9 months ago, 381 views
2 Answers

Unfortunately, there is no direct way to update the password policy for all child accounts in an AWS Organization from the master account with a single action. Each AWS account has its own IAM password policy that must be configured individually.

However, there are a few approaches you can consider to manage this more efficiently:

  1. Use AWS Single Sign-On (SSO) instead of IAM users for account access. This allows you to centrally manage user access and apply consistent password policies across your organization.

  2. Implement an AWS Config Rule with AWS Systems Manager (SSM) auto-remediation documents to ensure ongoing compliance with the desired password policy across accounts.

  3. If you're using Infrastructure as Code (IaC) tools like Terraform or CloudFormation, you can define the password policy as part of your account creation process or take ownership of the password policy via IaC and define it consistently across accounts.

  4. After deploying the password policy, consider implementing a Service Control Policy (SCP) to prevent member accounts from modifying their IAM password policies, ensuring they remain consistent.

While these methods require some initial setup, they can help you maintain consistent password policies across your organization without needing to manually configure each account or rely on scripts that run through all accounts.
Sources
IAM Password Policies | AWS re:Post
update-account-password-policy for Organisation level | AWS re:Post

answered 9 months ago
EXPERT
reviewed 9 months ago
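Item 4 of the answer above recommends an SCP guardrail but does not show one. The following is an added example, not part of the answer and not an AWS-published sample: it builds a Deny SCP for the two actions that change or delete an account password policy, with an exception for the role a central pipeline assumes in each member account, and includes a small offline evaluator so you can check whom the SCP would block before attaching it. The role name PasswordPolicyAutomationRole and the account ID 111122223333 are assumptions. Two caveats a practitioner should keep in mind: SCPs never constrain the management account, and the evaluator only models Deny statements conditioned on aws:PrincipalArn, which is enough for this guardrail but is not a general policy engine.

```python
"""Added example (not from the re:Post answer): an SCP that stops member-account
principals from changing or deleting the IAM account password policy, plus an
offline evaluator to sanity-check who the SCP blocks before deploying it.
The role name and ARN patterns below are assumptions."""
import fnmatch
import json

# Assumed name of the role the central pipeline (StackSet, Terraform, LZA, ...)
# assumes in each member account to manage the password policy.
AUTOMATION_ROLE_PATTERN = "arn:aws:iam::*:role/PasswordPolicyAutomationRole"

# The only two IAM actions that can weaken or remove an account password policy.
PROTECTED_ACTIONS = [
    "iam:UpdateAccountPasswordPolicy",
    "iam:DeleteAccountPasswordPolicy",
]


def build_password_policy_scp() -> dict:
    """Return the SCP document. An SCP Deny overrides any IAM Allow inside the
    member account, so only principals matching the exception keep the ability."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ProtectIamPasswordPolicy",
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotLike": {"aws:PrincipalArn": AUTOMATION_ROLE_PATTERN}
                },
            }
        ],
    }


def _matches_any(value: str, patterns) -> bool:
    """IAM-style wildcard match (* and ?) of value against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(scp: dict, principal_arn: str, action: str) -> bool:
    """Simplified evaluator: True if some Deny statement in the SCP matches the
    action and its StringLike/StringNotLike condition on aws:PrincipalArn holds.
    Allow statements, NotAction and other condition keys are not modelled."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches_any(action, stmt.get("Action", [])):
            continue
        applies = True
        for operator, key_values in stmt.get("Condition", {}).items():
            pattern = key_values.get("aws:PrincipalArn")
            if pattern is None:
                continue
            matched = _matches_any(principal_arn, pattern)
            if operator == "StringNotLike" and matched:
                applies = False
            elif operator == "StringLike" and not matched:
                applies = False
        if applies:
            return True
    return False


if __name__ == "__main__":
    scp = build_password_policy_scp()
    print(json.dumps(scp, indent=2))
    # Constructed principals: a member-account admin role, the automation role, a user.
    for arn in ("arn:aws:iam::111122223333:role/Admin",
                "arn:aws:iam::111122223333:role/PasswordPolicyAutomationRole",
                "arn:aws:iam::111122223333:user/alice"):
        for act in PROTECTED_ACTIONS + ["iam:GetAccountPasswordPolicy"]:
            print(f"{arn:65} {act:33} denied={scp_denies(scp, arn, act)}")
```

Write the document to a file and attach it with the real CLI: `aws organizations create-policy --type SERVICE_CONTROL_POLICY --name ProtectIamPasswordPolicy --description "..." --content file://scp.json`, then `aws organizations attach-policy --policy-id <id> --target-id <root-or-OU-id>`. Attach it only after the pipeline has deployed the policy everywhere, and before you rely on it, confirm the pipeline's role really assumes a role ARN that matches the exception pattern.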
Accepted Answer

In my aws organization i have 100 aws accounts

Are all these 100 accounts under a single organisation in AWS Organizations? If they are, are you using Control Tower, and are all 100 accounts enrolled in Control Tower?

Assuming the answer is still yes, you can look at using the baseline AWS-Landing-Zone-Baseline-IamPasswordPolicy described at https://aws.amazon.com/blogs/architecture/field-notes-extending-the-baseline-in-aws-control-tower-to-accelerate-the-transition-from-aws-landing-zone/

  • AWS-Landing-Zone-Baseline-IamPasswordPolicy

    • AWS Lambda to configure AWS Identity and Access Management (IAM) custom password policy (such as minimum password length, password expires period, password complexity, and password history in member accounts).

And one step beyond this, if you're using Landing Zone Accelerator then the password policy (and more) can be set in security-config.yaml - see the example on rows 85 through 94 of https://github.com/awslabs/landing-zone-accelerator-on-aws/blob/main/reference/sample-configurations/lza-sample-config/security-config.yaml

iamPasswordPolicy:
  allowUsersToChangePassword: true
  hardExpiry: false
  requireUppercaseCharacters: true
  requireLowercaseCharacters: true
  requireSymbols: true
  requireNumbers: true
  minimumPasswordLength: 14
  passwordReusePrevention: 24
  maxPasswordAge: 90
EXPERT
answered 9 months ago
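The iamPasswordPolicy block above states the baseline; what it does not show is how to verify that each of the 100 accounts actually matches it. The following is an added example, not the answer's code and not part of the Landing Zone Accelerator: it takes a password policy in the shape the IAM API returns (the PasswordPolicy dict from get_account_password_policy, or None when the call raises NoSuchEntity because the account is still on the AWS default) and reports every deviation from the LZA baseline, which is the same check the AWS Config IAM_PASSWORD_POLICY rule mentioned in the first answer performs. The sample policy dicts are constructed for illustration, and the "at least as strict" rules for the numeric settings are an assumption of this example.

```python
"""Added example (not from the answer or from Landing Zone Accelerator): check an
account's IAM password policy against the iamPasswordPolicy baseline quoted above.
In practice `policy` comes from boto3: iam.get_account_password_policy()["PasswordPolicy"],
with iam.exceptions.NoSuchEntityException mapped to None. No network is needed here."""

# The security-config.yaml values from the answer, as a Python dict.
BASELINE = {
    "allowUsersToChangePassword": True,
    "hardExpiry": False,
    "requireUppercaseCharacters": True,
    "requireLowercaseCharacters": True,
    "requireSymbols": True,
    "requireNumbers": True,
    "minimumPasswordLength": 14,
    "passwordReusePrevention": 24,
    "maxPasswordAge": 90,
}


def _api_key(yaml_key: str) -> str:
    """The IAM API uses the same setting names as the YAML, in PascalCase."""
    return yaml_key[0].upper() + yaml_key[1:]


def password_policy_findings(policy):
    """Return a list of findings; an empty list means the account is compliant.
    Rules (an assumption of this example, mirroring the Config rule's parameters):
    boolean settings must equal the baseline, MinimumPasswordLength and
    PasswordReusePrevention must be at least the baseline, and passwords must
    expire within at most maxPasswordAge days."""
    if policy is None:
        return ["no custom password policy is set; account uses the AWS default"]
    findings = []
    for key, wanted in BASELINE.items():
        api_key = _api_key(key)
        actual = policy.get(api_key)
        if isinstance(wanted, bool):
            # A boolean key absent from the API response means the option is off.
            actual = bool(actual)
            if actual != wanted:
                findings.append(f"{api_key} is {actual}, baseline requires {wanted}")
        elif key == "maxPasswordAge":
            # MaxPasswordAge is omitted from the response when passwords never expire.
            if actual is None or actual > wanted:
                findings.append(f"{api_key} is {actual}, baseline requires at most {wanted}")
        else:
            # PasswordReusePrevention is omitted when reuse prevention is off.
            actual = actual or 0
            if actual < wanted:
                findings.append(f"{api_key} is {actual}, baseline requires at least {wanted}")
    return findings


# Constructed sample responses, in the shape the IAM API returns them.
COMPLIANT_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}
WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False, "HardExpiry": False,
}

if __name__ == "__main__":
    for name, pol in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY), ("unset", None)):
        print(name, password_policy_findings(pol) or "OK")
```

Run the check from the management account by assuming a read-only role into each member account; it makes a good pre-flight before attaching an SCP that freezes the policy, and a good post-deployment check that the LZA or Control Tower baseline really landed in every account.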
